Bulk update Attack discoveries Technical Preview; added in 9.2.0

POST /api/attack_discovery/_bulk

Spaces method and path for this operation:

post /s/{space_id}/api/attack_discovery/_bulk

Refer to Spaces for more information.

Performs bulk updates on multiple Attack discoveries, including workflow status changes and visibility settings. This endpoint batches the modifications so that each alert does not need its own API call.

application/json

Body Required

Bulk update parameters for Attack discoveries

  • update object Required

    Configuration object containing all parameters for the bulk update operation

    • enable_field_rendering boolean

      Enables a markdown syntax used to render pivot fields, for example {{ user.name james }}. When disabled, the same example would be rendered as james. This is primarily used for Attack discovery views within Kibana. Defaults to false.

      Default value is false.

    • ids array[string] Required

      Array of Attack discovery IDs to update

    • kibana_alert_workflow_status string

      When provided, update the kibana.alert.workflow_status of the attack discovery alerts

      Values are open, acknowledged, or closed.

    • visibility string

      When provided, update the visibility of the alert, as determined by the kibana.alert.attack_discovery.users field

      Values are not_shared or shared.

    • with_replacements boolean

      When true, returns the updated Attack discoveries with text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields. This substitutes anonymized values with human-readable equivalents. Defaults to true.

      Default value is true.

Responses

  • 200 application/json

    Successful response containing the updated Attack discovery alerts

    • data array[object] Required

      Array of updated Attack discovery alert objects. Each item includes the applied modifications from the bulk update request.

      An attack discovery that's also an alert (Public API with snake_case)

      • alert_ids array[string] Required

        The alert IDs that the attack discovery is based on

      • alert_rule_uuid string

The optional kibana.alert.rule.uuid of the rule that generated this attack discovery (not applicable to ad hoc runs)

      • alert_start string

        The optional time the attack discovery alert was created

      • alert_updated_at string

        The optional time the attack discovery alert was last updated

      • alert_updated_by_user_id string

        The optional id of the user who last updated the attack discovery alert

      • alert_updated_by_user_name string

        The optional username of the user who updated the attack discovery alert

      • alert_workflow_status string

        The optional kibana.alert.workflow_status of this attack discovery

      • alert_workflow_status_updated_at string

        The optional time the attack discovery alert workflow status was last updated

      • connector_id string Required

        The ID of the connector that generated the attack discovery

      • connector_name string Required

        The (human readable) name of the connector that generated the attack discovery

      • details_markdown string Required

        Details of the attack with bulleted markdown that always uses special syntax for field names and values from the source data.

      • entity_summary_markdown string

        An optional, short (no more than a sentence) summary of the attack discovery featuring only the host.name and user.name fields (when they are applicable), using the same syntax

      • generation_uuid string Required

        The generation ID of the run that created the attack discovery

      • id string Required

        The unique ID of the attack discovery

      • mitre_attack_tactics array[string]

An optional array of MITRE ATT&CK tactics for the attack discovery

      • replacements object

        Replacements object used to anonymize/deanonymize messages

        • * string Additional properties
      • risk_score integer

The optional (but typically populated after generation) risk score of the alert

      • summary_markdown string Required

        A markdown summary of attack discovery, using the same syntax

      • timestamp string(nonempty) Required

        A string that represents a timestamp in ISO 8601 format and does not contain only whitespace characters.

        Minimum length is 1.

      • title string Required

        A title for the attack discovery, in plain text

      • user_id string

        The optional id of the user who generated the attack discovery

      • user_name string

The optional username of the user who generated the attack discovery (not applicable to attack discoveries generated by rules)

      • users array[object]

The optional array of users who may view the attack discovery. When empty (or not present), all users may view the attack discovery.

        Could be any string, not necessarily a UUID.

        • id string

          User id.

        • name string

          User name.

  • 400 application/json

    Generic Error

    • error string Required

      Error type

    • message string Required

      Human-readable error message describing what went wrong with the bulk update request

    • status_code number Required

      HTTP status code

POST /api/attack_discovery/_bulk
curl \
 --request POST 'http://localhost:5601/api/attack_discovery/_bulk' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data-raw '{
   "update": {
     "ids": [
       "c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f",
       "5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7"
     ],
     "kibana_alert_workflow_status": "acknowledged"
   }
 }'
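An added example, not part of the Elastic documentation or of Kibana's own client code: a small Python helper that builds a schema-valid request body (using the Spaces path form when a space is given), posts it, and reconciles the 200 response against the requested IDs so that a bulk status change which silently skipped or touched other discoveries is noticed rather than assumed. It assumes the Authorization header value is passed whole, as in the curl example above; the IDs and the sample response are constructed.

```python
import json
import urllib.error
import urllib.request

WORKFLOW_STATUSES = {"open", "acknowledged", "closed"}
VISIBILITIES = {"not_shared", "shared"}

# Constructed sample 200 body: ad-002 missing, ad-999 unrequested and unchanged.
SAMPLE_RESPONSE = {"data": [{"id": "ad-001", "alert_workflow_status": "acknowledged"},
                            {"id": "ad-999", "alert_workflow_status": "open"}]}


def bulk_update_url(base_url, space_id=None):
    prefix = f"/s/{space_id}" if space_id else ""  # Spaces path form
    return f"{base_url.rstrip('/')}{prefix}/api/attack_discovery/_bulk"


def build_bulk_update(ids, workflow_status=None, visibility=None,
                      with_replacements=True, enable_field_rendering=False):
    # Reject values the schema does not allow before anything reaches Kibana.
    if not ids:
        raise ValueError("ids must contain at least one attack discovery ID")
    if workflow_status is not None and workflow_status not in WORKFLOW_STATUSES:
        raise ValueError(f"bad kibana_alert_workflow_status: {workflow_status}")
    if visibility is not None and visibility not in VISIBILITIES:
        raise ValueError(f"bad visibility: {visibility}")
    update = {"ids": list(ids), "with_replacements": with_replacements,
              "enable_field_rendering": enable_field_rendering}
    if workflow_status is not None:
        update["kibana_alert_workflow_status"] = workflow_status
    if visibility is not None:
        update["visibility"] = visibility
    return {"update": update}


def reconcile(requested_ids, response_body, expected_status=None):
    """Audit a 200 body: all requested IDs back, nothing extra, status applied."""
    returned = {item["id"]: item for item in response_body.get("data", [])}
    wanted, have = set(requested_ids), set(returned)
    wrong = [i for i, item in returned.items() if expected_status
             and item.get("alert_workflow_status") != expected_status]
    return {"missing": sorted(wanted - have), "unexpected": sorted(have - wanted),
            "wrong_status": sorted(wrong)}


def send_bulk_update(base_url, api_key_header, body, space_id=None):
    """POST the body; returns (http_status, parsed JSON) for 200 and 400 alike."""
    req = urllib.request.Request(
        bulk_update_url(base_url, space_id), data=json.dumps(body).encode(),
        headers={"Authorization": api_key_header, "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:  # data set => POST
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)
```

Because a 400 is returned as a parsed body too, the caller can log the `error`, `message` and `status_code` fields rather than losing them in an exception.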